diff --git a/defaults/main.yml b/defaults/main.yml
index 2b59bd8..7d7a40a 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -5,5 +5,8 @@ acme_notification_email: 'root@example.org'
 acme_reload_services: []
 acme_restart_services: []
+# configure acmetool systemd service
+acme_systemd_start_after: 'apache2.service nginx.service'
+
 # should we do a version check? (recomended)
 submodules_versioncheck: false
diff --git a/handlers/main.yml b/handlers/main.yml
new file mode 100644
index 0000000..eabe42f
--- /dev/null
+++ b/handlers/main.yml
@@ -0,0 +1,7 @@
+---
+- name: systemctl restart acmetool
+ become: true
+ ansible.builtin.systemd:
+ name: 'acmetool.service'
+ state: 'restarted'
+ enabled: true
diff --git a/tasks/main.yml b/tasks/main.yml
index aab2c27..30d9f64 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -6,6 +6,9 @@
 - name: install acmetool
 ansible.builtin.include_tasks: install.yml
+- name: configure systemd
+ ansible.builtin.include_tasks: systemd.yml
+
 - name: configure acmetool
 ansible.builtin.include_tasks: configure.yml
diff --git a/tasks/systemd.yml b/tasks/systemd.yml
new file mode 100644
index 0000000..4c74e47
--- /dev/null
+++ b/tasks/systemd.yml
@@ -0,0 +1,17 @@
+---
+- name: deploy systemd service file
+ become: true
+ ansible.builtin.template:
+ src: 'templates/acmetool.service.j2'
+ dest: '/lib/systemd/system/acmetool.service'
+ owner: 'root'
+ group: 'root'
+ mode: '0644'
+ notify: systemctl restart acmetool
+
+- name: force systemd to reread configs and start acmetool
+ ansible.builtin.systemd:
+ daemon_reload: true
+ name: 'acmetool.service'
+ state: 'started'
+ enabled: true
diff --git a/templates/acmetool.service.j2 b/templates/acmetool.service.j2
new file mode 100644
index 0000000..0154e1f
--- /dev/null
+++ b/templates/acmetool.service.j2
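Review bot: The comment above the new `acme_systemd_start_after` key does not tell the reader that the value is pasted verbatim into the unit's `After=` line, and that `After=` only orders startup — it neither pulls those units in nor fails when they are absent. Suggest `# space-separated units acmetool.service is ordered After= (ordering only; absent units are ignored)` in place of `# configure acmetool systemd service`. Because the string lands unescaped in a systemd unit file, it should also be stated that only a plain unit-name list is valid here.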
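Review bot: `enabled: true` in this handler cannot have any effect, because the unit this commit installs (templates/acmetool.service.j2) has no `[Install]` section, so `systemctl enable` has nothing to link; `systemctl is-enabled` reports such a unit as `static`, which the systemd module appears to accept as already enabled, making the key a silent no-op. As written the `Type=oneshot` unit only runs `acmetool --batch reconcile` when this handler or the start task fires — nothing schedules periodic renewal from this role unless a `.timer` exists elsewhere on the host. Either drop `enabled: true` here and in tasks/systemd.yml, or add the `.timer`/`[Install]` wiring the flag implies.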
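Review bot: The second task ("force systemd to reread configs and start acmetool") runs `daemon_reload` and starts the unit without `become: true`, unlike the template task directly above it; unless the play already escalates, `systemctl daemon-reload` will be refused with a permission error. Add `become: true` to that task for consistency with the first one and with the handler. Separately, `dest: '/lib/systemd/system/acmetool.service'` writes into the package-managed unit directory: if install.yml installs the distribution's acmetool package, this overwrites the vendor unit and a later package upgrade can silently overwrite it back; `dest: '/etc/systemd/system/acmetool.service'` is the administrator location and takes precedence over `/lib/systemd/system` without that race.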
@@ -0,0 +1,21 @@
+[Unit]
+Description=Reconcile Let's Encrypt certificates
+Documentation=man:acmetool(8)
+After=nss-lookup.target
+After={{ acme_systemd_start_after }}
+
+[Service]
+Type=oneshot
+ExecStart=/usr/bin/acmetool --batch reconcile
+TimeoutStartSec=5min
+CapabilityBoundingSet=CAP_CHOWN CAP_NET_BIND_SERVICE
+NoNewPrivileges=yes
+PrivateTmp=yes
+PrivateDevices=yes
+ProtectSystem=strict
+ReadWritePaths=/var/lib/acme /run/acme /etc/nginx
+ProtectHome=yes
+ProtectKernelTunables=yes
+ProtectControlGroups=yes
+RestrictRealtime=yes
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
diff --git a/vars/main.yml b/vars/main.yml
index 315b499..f178569 100644
--- a/vars/main.yml
+++ b/vars/main.yml
@@ -33,5 +33,5 @@ acmetool__restart_hook:
 - 'files'
 # versionscheck
-playbook_version_number: 27 # should be a integer
+playbook_version_number: 28 # should be a integer
 playbook_version_path: 'do1jlr.role-acmetool.version'
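Review bot: `ReadWritePaths=/var/lib/acme /run/acme /etc/nginx` hard-codes an nginx path even though the default `acme_systemd_start_after` in this same commit also targets apache2; on a host without `/etc/nginx`, setting up the mount namespace for `ProtectSystem=strict` fails and the unit does not start, since paths in `ReadWritePaths=` are only tolerated when missing if prefixed with `-`. Use `ReadWritePaths=/var/lib/acme /run/acme -/etc/nginx`, or template the list the way `After=` is templated, and reconsider whether acmetool's hooks really need the entire nginx configuration tree writable rather than a narrower path — with `ProtectSystem=strict` this single line is what defines the service's write surface. Note also that the unit has no `[Install]` section, so the `enabled: true` the role sets elsewhere has nothing to act on.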